Are Apple products really more secure?

One thing I hear regularly when working in the computer security field are comments from Apple users along the lines of: "Why doesn't everybody use Apple because there are no viruses for Macs?" or "All viruses target Windows because Windows sucks so bad" or "Microsoft is the target because Microsoft sucks!"

None of these comments are based on accurate information about the real security situation facing Apple products. In fact, I would claim that the current security level of Windows 7 is better than on Mac OS X, and that it's more likely we will see a major mobile worm outbreak on iPhone than on smartphones running Windows Phone.

Some years ago, Apple was running a version of their popular "I'm a Mac" TV ad campaign. This particular ad made fun of the PC and the high likelihood of virus infections. Macs, on the other hand, simply had no virus problems, at least according to the advert. This kind of an attitude is still quite common among Mac fans.

What those same Mac fans don't want to hear is the simple truth that the current version of Mac OS X operating system isn't in any significant way more secure than Windows 7. The main reason why Macs have not been attacked more is because there are so few of them compared to PCs. In other words, they simply have not been a very interesting target for online criminals because there is a lot more money to be made from the much larger number of people using PCs.

This is changing, however. Especially Apple laptops have been gaining in popularity and in some markets 10 percent or more of new laptop sales are already Macs. This is starting to make them a more lucrative target for the online criminals.

Attitudes inside Apple are changing, too. The latest release of the OS X operating system actually has an extremely simplified antivirus program built-in. Apple also released this statement: "With virtually no effort on your part, OS X offers a multilayered system of defenses against viruses and other malicious applications, or malware".

We see all this in our labs here at F-Secure. In fact, years ago we used to have our own Mac antivirus product but it was discontinued in 1998 because there was no market for it. Now we have seen more than one hundred new Mac OS X viruses and Trojans, so we are bringing the product back to the market.

Target: iPhone

The situation regarding iPhone is also very interesting. If we look at the global market shares of the smartphone operating systems, Symbian had traditionally been the king of the hill, with more than 50 percent of all smartphones running it; but Symbian share is falling fast -- beaten back by surging Android and iPhone sales and Nokia's transition to Windows Phone 7. Symbian's market share, based on actual sales to end users, fell from 40 percent to 22 percent year over year in second quarter, according to Gartner. In less than four years, the iPhone has gained more than 18 percent of the smartphone market and it's share is still growing fast.

The amount of underground interest in the iPhone has been phenomenal. On the iPhone, you can't install unapproved third-party applications, and you can't use it with the cell phone carrier of your choice. These kinds of restrictions are not taken lightly by the computer underground and as a result, there is a vast amount of information on iPhone internals available on hacker boards and elsewhere.

According to one study, 7 percent of iPhone users have already 'jailbroken' their devices, which means removing all the restrictions on the device so they can use it as they want.

Jailbreaking is dangerous, and we do not recommend it. The main reason why we haven't seen more mobile malware on any smartphone platform is exactly because the code signing or application approval mechanisms make it harder to create simple Trojans or other malware.

Think about it. On all the popular computer operating systems, the application development is totally open. Anybody can write applications and anyone else can run them. This is not the way it works on mobile phones. Anybody can write code, but the code can be run by others only if it is approved by the vendor. This is a major difference in mindset.

The first iPhone worms targeting jailbroken devices, which remain the most vulnerable. Infecting such devices is much easier than trying to access the standard device. Interestingly, while we haven't seen many financially motivated attacks on smartphones, the second known iPhone worm was a banking Trojan. In this particular case, the Trojan targeted customers of a particular Dutch bank and redirected them to a copycat site when they try to do online banking from their phone. We do not believe this attack was particularly successful in stealing money, but it's a clear sign of the kinds of risks that we expect to see more of in the future. Newer Trojans pose greater risk.

Malware that infects iPhones or any other smartphones can also make phone calls which are also money transactions since you pay money for each call. Especially if the call is to an expensive premium-rate number.

However, so far we haven't seen massive mobile malware that infects large numbers of smartphones through these exploits. They either rely on the user to install the malware because he or she thinks it is something useful, or by using known system passwords to gain access, like the first iPhone worms did. It’s also perfectly possible that we will also see more exploit-based worms on standard iPhones in the future. In theory, such worms would be able to go around the world in minutes. F-Secure identified the first iPhone Trojan more than three-and-a-half years ago, and luckily that was just as prank. The clock is ticking.

It's also possible that some criminals will come up with ways of subverting the iPhone signing process. We have seen similar systems bypassed before. For example, a malicious application could be submitted for approval as something harmless, and it would activate at a later date or based on some other threshold.

Finally, it’s worth remembering that even if Apple users don't have as many viruses to worry about, they do still have the same amount of spam and phishing emails as anyone else. So at least some data security headaches are distributed democratically.